Many of our healthcare clients, particularly laboratories and physicians, are involved in clinical research studies. They may be the sponsors of such research or they may be asked to participate and contribute data to the studies. It has been our experience that some healthcare providers, both sponsors and participants in the studies, overlook or are not aware of the HIPAA and other privacy issues of patients, particularly in studies that involve a retrospective review of data.

Many of these retrospective data reviews involve IRB approval that addresses both the patient research consents as well as the HIPAA and other privacy authorizations. Under certain circumstances, the HIPAA specific research authorizations can be waived if the IRB considers the privacy issues and specifically determines that obtaining the authorizations is impractical and that the risk to patients is acceptably low.

However, we have found that the IRB approval may not be broad enough to encompass the participants who are contributing data, the patient categories, or even the purpose of the study. A non-infrequent situation involves IRB approval for a retroactive review of hospital inpatient and outpatient laboratory testing in an academic medical center, pursuant to which the IRB determines that HIPAA authorizations are not required from the patients. The study participants decide to expand the study and include data from testing for non-hospitalized patients of members of the medical staff of the center, or perhaps even from other physicians in the community. In this situation, the existing IRB is inadequate for the expanded study, placing the sponsor and participants at risk for violation of HIPAA.

We strongly advise that all study sponsors and participants carefully review the HIPAA and privacy issues that arise in the context of such studies, ensuring that either appropriate HIPAA authorizations are in place, or there is adequate IRB approval waiving the requirement for the HIPAA authorizations.